AWS KMS

AWSSecurityFree tier available

Create and manage cryptographic keys for encryption at rest and in transit with AWS-managed, customer-managed, and imported keys, automatic rotation, and FIPS 140-2 validated HSMs

FluffyStack tools
Add to Service BuilderAdd to CompareCompare with equivalentsExplore AWS in TreemapExplore security in HoneycombSee AWS regions on the World MapSee security as a networkScore jurisdiction exposure
DocumentationPricingAWS website

Jurisdictional exposure

Provider HQ
USSeattle, USA

Subject to CLOUD Act, FISA-702, DPF

Region locations
APACCNEEAEUUKUSOther40 regions across 7 jurisdictions
Sovereign option
Yes — 6 sovereign-flagged regions available
Full scorecard for this service →US lens detail →Sovereign cloud coverage map →

Attributes

SLA Uptime
99.999%
Hsm Backed
Yes
Fips Compliant
Yes

Sub-services (3)

Customer Managed Keys

KMS keys you create, own, and fully control via policies

AWS Managed Keys

Service-owned keys used transparently by AWS services

Custom Key Stores

KMS keys backed by dedicated CloudHSM clusters

Compliance & Certifications

This service is attested for the following frameworks. Always verify with the provider before relying on a specific compliance posture.

GDPRSOC 2ISO 27001HIPAAPCI DSSFedRAMP

Where this runs

40 regions
28 countries
6sovereign
Sovereign regions (6)
  • AWS European Sovereign Cloud (Brandenburg) · BrandenburgAWS European Sovereign Cloud
  • AWS GovCloud (US-East) · AshburnAWS GovCloud (US)
  • AWS GovCloud (US-West) · HillsboroAWS GovCloud (US)
  • AWS European Sovereign Cloud (Brandenburg) · BrandenburgAWS European Sovereign Cloud
  • China (Beijing) · BeijingAWS China (Sinnet)
  • China (Ningxia) · YinchuanAWS China (NWCD)
Commercial regions (34)

Europe (8)

  • Europe (Paris)
  • Europe (Frankfurt)
  • Europe (Ireland)
  • Europe (Milan)
  • Europe (Spain)
  • Europe (Stockholm)
  • Europe (Zurich)
  • Europe (London)

North America (7)

  • Canada West (Calgary)
  • Canada (Central)
  • Mexico (Central)
  • US East (N. Virginia)
  • US West (Oregon)
  • US East (Ohio)
  • US West (N. California)

South America (1)

  • South America (São Paulo)

Asia (11)

  • Asia Pacific (Hong Kong)
  • Asia Pacific (Hyderabad)
  • Asia Pacific (Mumbai)
  • Asia Pacific (Jakarta)
  • Asia Pacific (Osaka)
  • Asia Pacific (Tokyo)
  • Asia Pacific (Malaysia)
  • Asia Pacific (Singapore)
  • Asia Pacific (Seoul)
  • Asia Pacific (Taipei)
  • Asia Pacific (Thailand)

Oceania (3)

  • Asia Pacific (Melbourne)
  • Asia Pacific (Sydney)
  • Asia Pacific (New Zealand)

Middle East (3)

  • Middle East (Bahrain)
  • Israel (Tel Aviv)
  • Middle East (UAE)

Africa (1)

  • Africa (Cape Town)

Tags

encryptionkeyscryptographysecuritycompliance

Equivalent services on other platforms

Azure Key VaultAzure

Centralised vault for cryptographic keys, secrets, and certificates with HSM-backed keys, managed certificate renewal, and RBAC or access-policy enforcement

Cloud KMSGCP

Cloud-hosted key management for encryption at rest with symmetric and asymmetric keys, customer-supplied keys, HSM-backed keys, and automatic rotation

Huawei Data Encryption Workshop (DEW)Huawei

Unified cryptographic services including Key Management Service for envelope encryption, Cloud Secret Management Service for secret storage and rotation, Key Pair Service for SSH key management, and Dedicated HSM for FIPS 140-2 Level 3 workloads

IBM Hyper Protect ServicesIBM

Confidential computing family built on IBM LinuxONE and Secure Execution for Linux — offers Hyper Protect Virtual Servers, Crypto Services with FIPS 140-3 Level 4 HSMs, and Database as a Service with customer-controlled keys that even IBM cannot access

OpenStack BarbicanOpenStack

Key management service for symmetric and asymmetric keys, certificates, and other secret material — pluggable backends include software KMS, HSM via PKCS#11, Vault, and KMIP-compliant appliances. Equivalent to AWS KMS / Azure Key Vault / Cloud KMS in the cross-provider mapping

OCI VaultOracle

Centralised key and secret management service with HSM-backed symmetric and asymmetric keys, automatic rotation, and envelope encryption for OCI resources

Tencent Key Management ServiceTencent

Managed cryptographic key service with customer master keys (CMKs), envelope encryption for Tencent services, automatic and manual rotation, imported key material (BYOK), Managed HSM for single-tenant FIPS 140-2 Level 3 compliance, and audit logging via CloudAudit

Pricing

Pricing model:pay-as-you-go